Functional Safety Critical for Autonomous Cars

PARIS — For decades, for any semiconductor company aiming to get a foot in the door to the automotive electronics market, the first order of business was clearing the Automotive Electronics Council's AEC-Q100 standard, a critical stress-test qualification for automotive ICs.

This is still the case. But it may not be enough for entry into a future of fully autonomous cars, with the Advanced Driver Assistance System (ADAS) as its maiden technology.

As daunting as the ISO 26262 functional safety standard is, Freescale Semiconductor has taken up the challenge. Freescale announced today its collaboration with Green Hills Software and Neusoft Corp. to develop a comprehensive ADAS vision system built on an ISO 26262 ASIL (Automotive Safety Integrity Level) assessed software foundation.

The basic building blocks include Cognivue Corp.'s APEX image cognition processing IP, now available from Freescale. Advanced, silicon-aware software will come from Neusoft's ADAS vision applications and Green Hills Software's safety-certified Integrity operating system and tool chain. Freescale has an exclusive partnership agreement in place with functional safety expert Green Hills for the automotive domain, according to Allan McAuslin, Freescale's ADAS product manager.

Freescale's partner Neusoft Automotive, of Shenyang, China, brings more than 10 years of R&D expertise in vision-based and sensor-fusion driver assistance.

Cost and design implications
ISO 26262 potentially carries a risk for every chip vendor eyeing the growing ADAS market. The easier challenge is designing an ADAS system, built on a given chip and module, that merely warns the driver about what is in front of the car. But if the ADAS system is expected to take control from the driver when danger is imminent, the implications for long-term reliability are huge, says McAuslin. Of course, the industry is also aware of the implications for its liability.

More significantly, ISO 26262 has massive ramifications for the design and cost of fully automated cars. As the technology develops, the cost of safety will often require "redundancy" in systems, McAuslin observes. But economy cars, like the Ford Focus, will only stay economical by trimming away safety redundancies without compromising safety. That will be a neat trick.

"The ADAS software platform battle is just getting started," says Egil Juliussen, director of research for Infotainment and ADAS at IHS Automotive. The players are just positioning themselves for future growth, he notes.

Juliussen, calling ISO 26262 "very important," sees it having "a long-term impact on software reliability over the next decade."

The concept and techniques for functional safety, represented in ISO 26262, are well established. But how different industries apply them is another story.

He said in a video interview, speaking of the failure of the Therac-25 radiation therapy machine in the mid-1980s and a 1991 Patriot Missile failure, "Time and time again, we heard in both cases that people were saying 'We did a lot of testing'; and they named the number of hours they did testing... But in hindsight, the lesson we learned was there were software defects, and those software defects were lethal...

"So, counting the number of tests, or even the kinds of testing, is not sufficient. You have to do what's called functional safety. You have to build the safety case. And we are not inventing these techniques. These techniques exist, and they have existed for some time. It's a matter of applying those."

Functional safety
So, where are we with the automotive industry when it comes to functional safety?

Agreed! My 2010 car has had more computer/electrical issues than I care for. I miss the days when the car didn't think so much for me. What we really need in the US is enforcement of laws. Enforce "distracted driving" laws and keep cars simple.

Depending on the current state of the vehicle, the stop might not be too 'smooth'. Anyway, under current legislation (hopefully implemented that way not only here in Germany), the following driver has to keep a distance that enables him to stop without touching.

"...safe state is "stopped". Thus all propulsion components are - relatively - easy to implement."

I also had the same thought, that the safe state would be a smooth stop. Then a question occurred to me: what would happen on a busy highway where all the vehicles are moving at high speed and suddenly a car stops due to a failure? Would that be safe for the others behind? I have not found the answer yet.

We can't even eradicate "unintentional acceleration" or deal with key chains laden with half a dozen keys in cars, yet designers and companies are unwilling to even admit to such problems right now. The cost of a standard automobile continues to rise faster than the cost of living, and the electronics in a car cost 5x what a consumer-level equivalent would cost, and even more when bought over the dealer's parts counter. We're a long way from a car driving itself successfully or cheaply. So stay sober and stop reading your phone. Or maybe your seat will buzz you to attention.

Regarding the safe state, automobiles are not that critical: believe it or not, the safe state is "stopped". Thus all propulsion components are, relatively, easy to implement.

Other things like braking or airbags are much more challenging when thinking of autonomous vehicles: if the ABS detects a failure, it is sufficient to light the MIL (malfunction indicator lamp). This will not really help in an autonomous vehicle...

I would say a fail-safe system for autonomous cars, where a worst-case scenario could be engine failure, would be a backup system with a battery-powered drive and braking system, and software that could take the car to the curbside safely, the way it is done for autonomous lifts when there is a power failure.

When a safety system is designed and assessed, it stresses defining the safety function of the system and also defining the "safe state" of the system in case there is a failure. The intention behind designing a functional safety critical system is only to minimize "undetected dangerous" failures. Hence, as per the safety standards ISO 26262 / IEC 61508, there are limits set for the probability of dangerous failure (PoDF) and the safe failure fraction (SFF).

Hence, a safety system is allowed to fail but shall fail safely. I wonder what would be the "safe failure" for ADAS if a potentially dangerous failure is detected, or if there is a "safe failure"... what would be the safe state then? Engine shutdown? Certainly not. On a highway this could create trouble.
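The accounting behind the "undetected dangerous failure" point in the comments above, as an added worked example that is not from the article or from any commenter. IEC 61508-2 (Annex C) splits a hardware element's failure rate into safe/dangerous and detected/undetected parts, and the safe failure fraction (SFF) and diagnostic coverage (DC) fall out of that split; ISO 26262-5 uses its own metrics (SPFM, LFM, PMHF) built on the same detected/undetected distinction. The FIT figures below are constructed for illustration, the diagnostic being "added" is hypothetical, and the model assumes that every newly detected dangerous fault actually triggers the safe-state reaction in time (which is exactly the open question the comments raise for ADAS).

```python
from dataclasses import dataclass

FIT_PER_HOUR = 1e-9  # 1 FIT = one failure per 1e9 device-hours


@dataclass(frozen=True)
class FailureRates:
    """Hardware failure rates in FIT, split the way IEC 61508-2 Annex C splits them.

    Only lambda_DU (dangerous *and* undetected) leads straight to a hazard; a detected
    dangerous fault is assumed (see with_diagnostic) to trigger the safe-state reaction.
    """
    safe_detected: float         # lambda_SD
    safe_undetected: float       # lambda_SU
    dangerous_detected: float    # lambda_DD
    dangerous_undetected: float  # lambda_DU

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total."""
    return (r.safe_detected + r.safe_undetected + r.dangerous_detected) / r.total


def diagnostic_coverage(r: FailureRates) -> float:
    """DC = lambda_DD / (lambda_DD + lambda_DU): share of dangerous faults the diagnostics catch."""
    dangerous = r.dangerous_detected + r.dangerous_undetected
    return r.dangerous_detected / dangerous if dangerous else 1.0


def dangerous_undetected_per_hour(r: FailureRates) -> float:
    """Rate of silent dangerous failures in 1/h, the quantity the PFH / PMHF targets bound."""
    return r.dangerous_undetected * FIT_PER_HOUR


def with_diagnostic(r: FailureRates, coverage: float) -> FailureRates:
    """Model adding a safety mechanism that detects `coverage` (0..1) of the faults that
    were previously dangerous-undetected. Modelling assumption: each newly detected fault
    is acted on within the fault-tolerant time interval, so it moves from lambda_DU to
    lambda_DD. If the system has no usable safe state to react into, this move is not
    justified and the fault stays in lambda_DU."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be in [0, 1]")
    caught = r.dangerous_undetected * coverage
    return FailureRates(r.safe_detected, r.safe_undetected,
                        r.dangerous_detected + caught,
                        r.dangerous_undetected - caught)


def sil_from_sff_type_b_hft0(sff: float):
    """IEC 61508-2 Table 3, type B element with hardware fault tolerance 0:
    the highest SIL the architecture may claim from SFF alone, or None if not allowed."""
    if sff < 0.60:
        return None
    if sff < 0.90:
        return 1
    if sff < 0.99:
        return 2
    return 3


ASIL_D_PMHF_TARGET = 1e-8  # ISO 26262-5 random-hardware-failure target for ASIL D, in 1/h


def assess(r: FailureRates) -> dict:
    """Summarise a failure-rate split against the SFF table and the ASIL D target."""
    sff = safe_failure_fraction(r)
    lam_du = dangerous_undetected_per_hour(r)
    return {
        "sff": sff,
        "dc": diagnostic_coverage(r),
        "sil_hft0": sil_from_sff_type_b_hft0(sff),
        "lambda_du_per_hour": lam_du,
        "meets_asil_d_target": lam_du < ASIL_D_PMHF_TARGET,
    }


# Constructed figures for a single-channel (HFT 0) sensor interface: 1000 FIT in total,
# 500 FIT of them dangerous, and only 100 FIT of those caught by the existing checks.
BASELINE = FailureRates(safe_detected=200, safe_undetected=300,
                        dangerous_detected=100, dangerous_undetected=400)


def demo() -> dict:
    """Before/after adding a hypothetical 95 %-coverage diagnostic on the dangerous faults."""
    improved = with_diagnostic(BASELINE, coverage=0.95)
    return {"before": assess(BASELINE), "after": assess(improved)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With the constructed numbers the baseline sits at SFF 0.60 (just SIL 1 for a single channel) and a silent dangerous rate of 4e-7/h. Adding a 95 % diagnostic raises SFF to 0.98 and DC to 0.96, but that is still SIL 2, not SIL 3, and the residual 2e-8/h remains above the ASIL D target: coverage alone does not close the gap, which is why the standard pushes designs toward redundancy (HFT > 0) for the highest levels. The arithmetic also makes the commenters' question concrete: moving a fault from lambda_DU to lambda_DD is only legitimate if the vehicle has a reachable safe state to transition into when the diagnostic fires.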